每年 AV-Comparatives 都會按照五個主要測試項目,評估 I.T. 安全產品並頒發金、銀、銅獎項。測試人員對 ESET 的表現充分肯定,獲得了「性能表現」和「誤報率測試」的金獎。
在 AV 測試方面,測量其「可靠性」與「檢測力」同樣重要。只要一個誤報,可能需要工程和支援團隊的大量資源來解決問題。更重要的是,它甚至會導致重要的數據丟失或系統無法使用。所以要做到每一次都準確無誤,是至關重要的,而 ESET 毫無疑問成功了。在全年進行大量的誤報率測試後,AV-Comparatives 確認 ESET 在2017 年的所有測試中都沒有誤報。這是其他安全產品方案無法做到的,因此 ESET 獲得了金獎。
ESET Internet Security 在全年進行了兩項測試後也得到了認可,因為它在執行任務時對系統性能的影響很小,故再獲得另一個金獎。 AV-Comparatives 表示,他們發現軟件「非常易於使用,這要感謝卓越的用戶界面和自配置的防火牆」。
閱讀 AV Comparatives 2017 報告
ESET Endpoint Security for macOS – 無可挑剔的保護
雖然很多人可能不願相信,但 Mac 用戶正日漸成為黑客的主要目標。即使在 macOS 上,惡意軟件也在呈指數級的增長,而在商業領域,行業專家認為,針對企業環境中的 Mac 的高端持續威脅數量也正在上升。
因此,讓 Mac 用戶進一步關注安全問題,尋找滿足其安全需求而又不影響系統性能的解決方案,變成了一個重要的課題。當 AV-TEST 評估針對 macOS 的 ESET Endpoint Security 時,很明顯看到它達到了 Mac 用戶的預期。
在針對企業用戶測試的解決方案中,ESET 實現了完美檢測,識別並阻止所有 514 個 macOS 威脅。此外,測試人員對 ESET 低誤報率及其對「潛在不受歡迎的軟件」(PUA)的行為印象深刻。實際上,ESET 在 98% 和 100% 之間篩選出近 700 個 PUA。總體而言,AV-TEST 給予 ESET 的評語是:提供的保護措施簡直就是無可挑剔。
閱讀 Put to the Test: Antivirus Solutions for MacOS Sierra 報告
這類病毒並非善類,會大大延長用戶感染惡意代碼後的痛苦和不便。如果您的防毒軟件只掃描硬碟和記憶體,而不掃描 UEFI 的話,則您的電腦就有感染這類的病毒的風險,而您自己卻全然不知。正因如此,我們推薦您使用具有 UEFI 病毒掃描功能的防毒軟件,例如 ESET 的全系列防毒產品。
為何我的設備內有 UEFI?
電腦設備是借助代碼執行來運行的:人們把此類指令稱為軟件,軟件能夠幫助手提電腦和智能手機等硬件設備發揮功效。向設備輸入代碼,可借助多種方式,例如,可以從硬碟上所存儲的文件或 USB 記憶體中讀取,或通過網絡磁碟連接傳遞,但當用戶打開電腦的電源後,設備首先必須啓動(bootstrap),最先執行的這部分代碼通常存儲在設備內部的一塊晶片之中,習慣上稱為firmware,其中可包括「開機自我檢測」程式,以便確保設備元件運行正常,之後再向記憶體中加載基本輸入輸出處理指令。如您較為熟悉電腦的話,您可能已經知道,該晶片中所存儲的代碼被稱為「BIOS」,即基本輸入輸出系統。
Previously unreported samples of Hacking Team’s infamous surveillance tool – the Remote Control System (RCS) – are in the wild, and have been detected by ESET systems in fourteen countries.
Our analysis of the samples reveals evidence suggesting that Hacking Team’s developers themselves are actively continuing the development of this spyware.
From Hacking Team to Hacked Team to…?
Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.
The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied.
When the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.
Following the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.
Having just concluded our research into another commercial spyware product, FinFisher, two interesting events involving Hacking Team occurred in close succession – the report about Hacking Team’s apparent financial recovery and our discovery of a new RCS variant in the wild with a valid digital certificate.
The spyware lives on
In the early stages of this investigation, our friends from the Citizen Lab – who have a long record of keeping track of Hacking Team – provided us with valuable input that led to the discovery of a version of the spyware currently being used in the wild and signed with a previously unseen valid digital certificate.
Our further research uncovered several more samples of Hacking Team’s spyware created after the 2015 hack, all being slightly modified compared to variants released before the source code leak.
The samples were compiled between September 2015 and October 2017. We have deemed these compilation dates to be authentic, based on ESET telemetry data indicating the appearance of the samples in the wild within a few days of those dates.
Further analysis led us to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.
One indicator supporting this is the sequence of digital certificates used to sign the samples – we found six different certificates issued in succession. Four of the certificates were issued by Thawte to four different companies, and two are personal certificates issued to Valeriano Bedeschi (Hacking Team co-founder) and someone named Raffaele Carnacina, as shown in the following table:
Certificate issued to
Validity period
Valeriano Bedeschi
8/13/2015 – 8/16/2016
Raffaele Carnacina
9/11/2015 – 9/15/2016
Megabit, OOO
6/8/2016 – 6/9/2017
ADD Audit
6/20/2016 – 6/21/2017
Media Lid
8/29/2016 – 8/30/2017
Ziber Ltd
7/9/2017 – 7/10/2018
The samples also have forged Manifest metadata – used to masquerade as a legitimate application – in common, appearing as “Advanced SystemCare 9 (9.3.0.1121)”, “Toolwiz Care 3.1.0.0” and “SlimDrivers (2.3.1.10)”.
Our analysis further shows that the author(s) of the samples have been using VMProtect, apparently in an effort to make their samples less prone to detection. This was also common among pre-leak Hacking Team spyware.
The connections among these samples alone could have originated with virtually any group re-purposing the leaked Hacking Team source code or installer – as was the case with Callisto Group in early 2016. We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.
The versioning (which we accessed after overcoming VMProtect protection) observed in the analyzed samples continues where Hacking Team left off before the breach, and follows the same patterns. Hacking Team’s habit of compiling their payloads – named Scout and Soldier – consecutively, and often on the same day, can also be seen across the newer samples.
The following table shows the compilation dates, versioning and certificate authorities of Hacking Team Windows spyware samples seen between 2014 and 2017. Reuse of leaked source code by Callisto Group is marked in red.
Furthermore, our research has confirmed that the changes introduced in the post-leak updates were made in line with Hacking Team’s own coding style and are often found in places indicating a deep familiarity with the code. It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code.
One of the subtle differences we spotted between the pre-leak and the post-leak samples is the difference in Startup file size. Before the leak, the size of the copied file is padded to occupy was 4MB. In the post-leak samples, this file copy operation is padded to 6MB – most likely as a primitive detection evasion technique.
Figure 1 – Startup file size copy changed from 4 MB pre-leak to 6MB post-leak
We found further differences that fully convinced us of Hacking Team’s involvement. However, the disclosure of these details could interfere with the future tracking of the group, which is why we choose not to publish them. We are, however, open to share these details with fellow researchers (for any inquiries contact us at threatintel@eset.com).
The functionality of the spyware largely overlaps with that in the leaked source code. Our analysis so far has not confirmed the release of any significant update, as promised by Hacking Team following the hack.
As for the distribution vector of the post-leak samples we analyzed, at least in two cases, we detected the spyware in an executable file disguised as a PDF document (using multiple file extensions) attached to a spearphishing email. The names of the attached files contain strings likely aimed to reduce suspicion when received by diplomats.
Figure 2 – Investigation timeline
Conclusion
Our research lets us claim with high confidence that, with one obvious exception, the post-leak samples we’ve analyzed are indeed the work of Hacking Team developers, and not the result of source code reuse by unrelated actors, such as in the case of Callisto Group in 2016.
As of this writing, our systems have detected these new Hacking Team spyware samples in fourteen countries. We choose not to name the countries to prevent potentially incorrect attributions based on these detections, since the geo-location of the detections doesn’t necessarily reveal anything about the origin of the attack.
Serial Number: 2c e2 bd 0a d3 cf de 9e a7 3e ec 7c a3 04 00 da
SHA-1 samples
27f4287e1a5348714a308e9175fb9486d95815a2
71a68c6140d066ca016efa9087d71f141e9e2806
dc817f86c1282382a1c21f64700b79fcd064ae5c
SHA-1 samples
27f4287e1a5348714a308e9175fb9486d95815a2
71a68c6140d066ca016efa9087d71f141e9e2806
dc817f86c1282382a1c21f64700b79fcd064ae5c
C&Cs
188.226.170.222
173.236.149.166
Samples signed by Megabit, OOO
Thumbprint: 6d e3 a1 9d 00 1f 02 24 c1 c3 8b de fa 74 6f f2 3a aa 43 75
Serial Number: 0f bc 30 db 12 7a 53 6c 34 d7 a0 fa 81 b4 81 93
SHA-1 samples
508f935344d95ffe9e7aedff726264a9b500b854
7cc213a26f8df47ddd252365fadbb9cca611be20
98a98bbb488b6a6737b12344b7db1acf0b92932a
cd29b37272f8222e19089205975ac7798aac7487
d21fe0171f662268ca87d4e142aedfbe6026680b
5BF1742D540F08A187B571C3BF2AEB64F141C4AB
854600B2E42BD45ACEA9A9114747864BE002BF0B
C&Cs
95.110.167.74
188.226.170.222
173.236.149.166
46.165.236.62
Samples signed by Raffaele Carnacina
Thumbprint: 8a 85 4f 99 2a 5f 20 53 07 f8 2d 45 93 89 af da 86 de 6c 41
Serial Number: 08 44 8b d6 ee 91 05 ae 31 22 8e a5 fe 49 6f 63
SHA-1 samples
4ac42c9a479b34302e1199762459b5e775eec037
2059e2a90744611c7764c3b1c7dcf673bb36f7ab
b5fb3147b43b5fe66da4c50463037c638e99fb41
9cd2ff4157e4028c58cef9372d3bb99b8f2077ec
b23046f40fbc931b364888a7bc426b56b186d60e
cc209f9456f0a2c5a17e2823bdb1654789fcadc8
99c978219fe49e55441e11db0d1df4bda932e021
e85c2eab4c9eea8d0c99e58199f313ca4e1d1735
141d126d41f1a779dca69dd09640aa125afed15a
C&Cs
199.175.54.209
199.175.54.228
95.110.167.74
Samples signed by Valeriano Bedeschi
Thumbprint: 44 a0 f7 f5 39 fc 0c 8b f6 7b cd b7 db 44 e4 f1 4c 68 80 d0
Serial Number: 02 f1 75 66 ef 56 8d c0 6c 9a 37 9e a2 f4 fa ea
SHA-1 samples
baa53ddba627f2c38b26298d348ca2e1a31be52e
5690a51384661602cd796e53229872ff87ab8aa4
aa2a408fcaa5c86d2972150fc8dd3ad3422f807a
83503513a76f82c8718fad763f63fcd349b8b7fc
C&Cs
172.16.1.206
About Version 2 Limited Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
As many as 43% of online login attempts globally are made by bots that are used for evil ends, as attackers are increasingly leveraging the automated tools for credential abuse, a report by Akamai has revealed.
Focusing on data for November, 2017, the content delivery network provider found that 3.6 billion out of 8.3 billion login requests during that month were malicious, specifically “attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet”.
A breakdown of the figures shows that the websites of retailers handled the highest number of login requests in November – 2.8 billion. “Only” 36% of them were intended to break into the accounts, according to Akamai’s Fourth Quarter 2017 State of the Internet / Security Report.
Meanwhile, the hospitality industry had to contend with the highest concentration of bad bots. A staggering 82% of nearly 1 billion login attempts on the websites of airlines, hotels and online travel agencies were found to be malicious.
Swarms of villain bots also swooped on the sites of high-tech businesses, with 57% out of 1.4 billion login attempts deemed malevolent.
The data was obtained by Akamai’s identifying “IP addresses that make multiple attempts to log into accounts using leaked credentials with no other activity to the target site”.
The data set covers mainly websites that use email addresses as login names. As a result, Akamai cautioned that the figures may understate the extent of the problem in industries in which email addresses are not used as user IDs, notably the financial industry.
Credential abuse attempts according to selected industries (Source: Akamai, Fourth Quarter 2017 State of the Internet / Security Report)
Bots that traverse the internet on behalf of their human operators can fulfill both legitimate and malicious automated tasks. Statistics indicate that bot-driven internet traffic, by helper and harmful bots combined, surpasses human traffic.
“Increased automation and data mining have caused a massive flood of bot traffic to impact websites and Internet services. Although most of that traffic is useful for Internet businesses, cybercriminals are looking to manipulate the powerful volume of bots for nefarious gains,” Akamai’s senior security advocate Martin McKeay is quoted as saying.
“Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots. Not all web traffic and not all bots are created equal,” he added.
In an automated technique known as ‘credential stuffing’, criminals leverage stolen or leaked access credentials that belong to one account in order to break into other – often higher-value – accounts. This tactic has been found to pay dividends in anywhere between 0.1% and 2% of attempts, owing its success primarily to the fact that many netizens recycle their credentials across multiple accounts. Databases with reams of stolen username and password pairs can be easily bought online.
DDoS traffic
After several quarters of increases, the number of distributed denial-of-service (DDoS) attacks dropped by less than 1% in the fourth quarter of 2017 compared to the third quarter. On an annual basis, however, the attacks were up 14%, according to Akamai’s stats.
The gaming industry bore the brunt of the onslaughts, suffering 79% of all DDoS traffic. Germany and China between themselves accounted for the majority of source IP addresses involved in the attacks.
To say that DDoS attacks aren’t going anywhere would be an understatement, nor have we seen the last of Mirai. The notorious botnet, which took the internet by storm in the fall of 2016, remains alive and kicking. This is not least because of the proliferation of hackable Internet-enabled things, coupled with attackers continuing to adapt Mirai’s source code to befit their evil intentions.
Web app attacks
The number of web application attacks decreased by 9% following a quarter-over-quarter jump of 30% in the third quarter. They still rose by one-tenth compared to the last three months of 2016, however.
This type of threat most commonly involves scans to identify vulnerable sites with the ultimate aim of data thefts or other compromises. SQL injections, which Akamai highlighted as “easily automated and scalable”, accounted for one-half of web app attacks. On 36%, local file inclusion was the second-most-frequent attack vector.
The United States is by far both the top source and top target of web app attacks. The incursions that originate in the US soared by 31% compared to the last quarter of 2016.
About Version 2 Limited Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.